New Offer for TRICARE Breach Victims

TRICARE, the military health program, has directed its business associate, Science Applications International Corp., to offer one year's worth of free credit monitoring and restoration services to the 4.9 million beneficiaries affected by a recent breach.

Earlier, TRICARE had announced that it would not offer credit monitoring services, citing the minimal risk involved in the breach, which involved backup tapes stolen from an SAIC employee's car (see: TRICARE Breach Notification in Works).

"SAIC will also conduct an analysis of all available data to help TRICARE determine if identity theft occurs due to the data breach," says Austin Camacho, chief of public affairs for TRICARE Management Activity.

Letters notifying victims about the breach and offering free credit monitoring are being mailed this month, Camacho says. SAIC confirmed earlier that it is picking up the notification costs.

A TRICARE statement on the organization's website, updated the afternoon of Nov. 4, confirms the offer of free credit monitoring through SAIC. The letter does not make it clear why TRICARE changed its position on offering credit monitoring. But in a news release, Brigadier General W. Bryan Gamble, TRICARE Management Activity deputy director, says, "We take very seriously our responsibility to offer patients peace of mind that their credit and quality of life will be unaffected by this breach."

A class action lawsuit has been filed against the Department of Defense and TRICARE, alleging "intentional, willful and reckless violations of the privacy rights" of the beneficiaries as a result of the breach. It seeks $1,000 in damages for each person affected, or a potential total of $4.9 billion. The lawsuit also sought to force TRICARE and DoD to offer free credit monitoring.

TRICARE Incident Details

The TRICARE breach is the largest reported since the HIPAA breach notification rule went into effect in September 2009. The Defense Department's TRICARE healthcare program, which serves active-duty troops and their dependents, as well as military retirees, said SAIC reported backup tapes were stolen from the car of an SAIC employee that was parked outside an SAIC facility in San Antonio.

Information on the breached tapes about patients treated in San Antonio-area military facilities may have included Social Security numbers, names, addresses, phone numbers and some personal health data, such as clinical notes, lab tests and prescriptions, TRICARE reported. The tapes did not contain any financial data.

In the wake of the TRICARE incident, the DoD and two other government agencies issued a proposed rule designed to help ensure that government contractors provide adequate privacy training to their staff members (see: Training Proposed After TRICARE Breach).

Breach Tally Grows

With the addition of the recent TRICARE and Nemours breaches to the federal tally, the government now estimates that more than 18 million individuals have been affected by health information breaches since September 2009.

On Nov. 4, the Department of Health and Human Services' Office for Civil Rights updated its "wall of shame" tally of major health information breaches to include these two incidents.

The Sept. 13 TRICARE breach affected almost 5.2 million individuals, according to the updated federal tally. But Camacho says that figure is inaccurate. TRICARE initially informed OCR that 5.2 million were affected, but lowered its estimate to 4.9 million once it removed duplicates, he stresses.

The Aug. 10 breach at Nemours, a children's health system, affected slightly more than 1 million, according to the federal tally. But Nemours spokesman John Grabusky says the incident actually affected 1.6 million, as it originally announced. That figure includes about 1 million patients, plus guarantors, vendors and employees. So it appears that OCR only included the patients in its tally.

The OCR tally now lists 364 breach incidents affecting a total of about 18.2 million individuals. The list accounts for incidents affecting 500 or more individuals that have occurred since the HIPAA breach notification rule took effect.

Officials at OCR said Nov. 4 that they could not comment on the details of the tally for the TRICARE and Nemours incidents until consulting with investigators.

Nemours Breach

In the Nemours incident, a locked cabinet containing three unencrypted backup tapes was reported missing. The cabinet is believed to have been removed during a facility remodeling project, Nemours said in a statement.

Notification is expected to be completed the week of Nov. 7, Grabusky says. The cabinet and tapes have not yet been recovered, and Nemours has no evidence the tapes have been accessed, he adds.

Nemours is taking steps to improve security, including encrypting backup tapes, storing nonessential backup tapes at a secure offsite facility, increasing physical security for tapes stored onsite, and "enhancing backup tape destruction protocols," Grabusky says. The organization has hired an independent consultant "to do a best practice audit for backup tapes," he adds. That could lead to further changes in data storage policies.

About the Author

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
